Design for Test (DfT) techniques such as Joint Test Action Group (JTAG) are fundamental to the testing of complex Integrated Circuits (ICs) and System-on-Chips (SoCs), because they provide a simple and effective means of accessing, reading, and modifying the internal components of a device. This access is provided via scan chains: internal registers are linked into a serial shift path that can be captured, shifted out through the Test Access Port (TAP), and overwritten. Disadvantageously, however, the very access that is beneficial during testing creates many problems for security after the product is sold or deployed, since the same access can be used for malicious purposes, namely to modify the product, tamper with it, reverse-engineer it, or perform other malicious activities.
As a result, attempts have been made to secure access to ICs and SoCs, such that the access to ICs and SoCs that is used for testing cannot be exploited after the associated products are sold/deployed.
A typical solution for preventing exploitation of the scan chain of a system after testing is to make a hard modification to the system, such that scan chain access becomes impossible. For example, the Test Access Port (TAP) of the system may be burned or removed in some manner. Disadvantageously, however, this solution has multiple drawbacks. First, the JTAG infrastructure itself remains on the system and, thus, an attacker may still be able to reach it (e.g., by attaching probes directly to the scan signals). The JTAG wires are relatively easy to identify on the board, and the access obtained in this way can be immediate. A well-known example of this procedure is the unlocking of the first generation Apple iPhone, achieved by a student in only a few attempts. Second, the DfT infrastructure becomes "dead weight" on the board and cannot be used anymore, even though many applications (e.g., in-field and online testing) could greatly benefit from such access.
Furthermore, in Field Programmable Gate Array (FPGA) and Complex Programmable Logic Device (CPLD) products, two different approaches are used to disable JTAG access to the configuration area of the device. A first approach is to use a fuse on the device which, when burnt, disables access to the configuration area. Disadvantageously, however, once the fuse is burnt, no JTAG access is possible until the burnt part is replaced. A second approach is to use a battery backup to support secure storage (e.g., Electrically Erasable Programmable Read-Only Memory (EEPROM), FLASH, or similar storage) containing a key that is used to decrypt the input bitstream. Disadvantageously, however, while this approach preserves subsequent JTAG access, the real estate that the battery backup requires can be problematic in many applications.
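To make concrete both the scan-chain access described in the opening paragraph and the one-time fuse approach described directly above, the following added example (written for this page, not code from the patent text or any vendor) models a minimal IEEE 1149.1 TAP controller with one internal 8-bit register behind a hypothetical private instruction `SCAN_INTERNAL`. A host routine drives TMS/TDI exactly as a JTAG adapter would: it shifts the instruction into the instruction register, then performs one data-register scan that reads the register's current value out on TDO while shifting a replacement value in. The `fuse_blown` flag is an assumed model of the fuse: once set, the private instruction degrades to the mandatory 1-bit BYPASS path, so the register can be neither read nor written, and there is no way to reopen it.

```python
"""Toy IEEE 1149.1 TAP model: one IR, BYPASS, and an 8-bit internal scan register.

Added illustration only. SCAN_INTERNAL and the fuse_blown flag are assumptions
made for this example, not part of any real device or of the page's text.
"""

# TAP controller next-state table: state -> (next if TMS=0, next if TMS=1)
NEXT = {
    "TLR":   ("RTI",   "TLR"),    # Test-Logic-Reset
    "RTI":   ("RTI",   "SELDR"),  # Run-Test/Idle
    "SELDR": ("CAPDR", "SELIR"),
    "CAPDR": ("SHDR",  "EX1DR"),
    "SHDR":  ("SHDR",  "EX1DR"),
    "EX1DR": ("PDR",   "UPDR"),
    "PDR":   ("PDR",   "EX2DR"),
    "EX2DR": ("SHDR",  "UPDR"),
    "UPDR":  ("RTI",   "SELDR"),
    "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR",  "EX1IR"),
    "SHIR":  ("SHIR",  "EX1IR"),
    "EX1IR": ("PIR",   "UPIR"),
    "PIR":   ("PIR",   "EX2IR"),
    "EX2IR": ("SHIR",  "UPIR"),
    "UPIR":  ("RTI",   "SELDR"),
}

IR_LEN = 4
BYPASS = 0b1111          # mandatory all-ones opcode: 1-bit path between TDI and TDO
SCAN_INTERNAL = 0b0010   # hypothetical private opcode selecting the internal register
REG_LEN = 8


class Device:
    """TAP FSM plus shift path. fuse_blown models a one-time 'disable' fuse."""

    def __init__(self, internal=0xA5, fuse_blown=False):
        self.state = "TLR"
        self.ir = BYPASS
        self.shift = 0          # register currently sitting between TDI and TDO
        self.shift_len = 1
        self.internal = internal
        self.fuse_blown = fuse_blown

    def _selected_len(self):
        # Once the fuse is blown the private chain is gone for good: everything
        # except the one-bit BYPASS path is unreachable.
        if self.ir == SCAN_INTERNAL and not self.fuse_blown:
            return REG_LEN
        return 1

    def clock(self, tms, tdi):
        """One TCK cycle: present TDO for the current state, act, then move on TMS."""
        tdo = self.shift & 1
        s = self.state
        if s == "TLR":
            self.ir = BYPASS
        elif s == "CAPIR":
            self.shift, self.shift_len = 0b0001, IR_LEN   # IR captures ...01 per spec
        elif s == "SHIR":
            self.shift = (self.shift >> 1) | (tdi << (IR_LEN - 1))
        elif s == "UPIR":
            self.ir = self.shift
        elif s == "CAPDR":
            self.shift_len = self._selected_len()
            self.shift = self.internal if self.shift_len == REG_LEN else 0
        elif s == "SHDR":
            self.shift = (self.shift >> 1) | (tdi << (self.shift_len - 1))
        elif s == "UPDR":
            if self._selected_len() == REG_LEN:
                self.internal = self.shift    # a scan-in becomes a write
        self.state = NEXT[s][tms]
        return tdo


def reset(dev):
    """Five TCK cycles with TMS=1 reach Test-Logic-Reset from any state; park in RTI."""
    for _ in range(5):
        dev.clock(1, 0)
    dev.clock(0, 0)


def shift_register(dev, bits, n, ir=False):
    """Full IR or DR scan from Run-Test/Idle: shift `bits` in LSB first, return TDO bits."""
    for tms in ([1, 1, 0, 0] if ir else [1, 0, 0]):   # ... -> Capture -> Shift
        dev.clock(tms, 0)
    out = 0
    for i in range(n):
        out |= dev.clock(1 if i == n - 1 else 0, (bits >> i) & 1) << i
    dev.clock(1, 0)   # Exit1 -> Update
    dev.clock(0, 0)   # Update -> Run-Test/Idle
    return out


def attacker_dump_and_patch(dev, new_value):
    """Read the internal register and overwrite it in a single DR scan, then read back."""
    reset(dev)
    shift_register(dev, SCAN_INTERNAL, IR_LEN, ir=True)
    old = shift_register(dev, new_value, REG_LEN)
    readback = shift_register(dev, new_value, REG_LEN)   # rescan with same value
    return old, readback
```

On an unfused device the first DR scan returns the original contents (0xA5 in the constructed example) and leaves the attacker's value in the register; on a device with `fuse_blown=True` the same sequence only sees the one-bit BYPASS delay of its own input and changes nothing, which is exactly the "no JTAG access until the part is replaced" property of the fuse approach.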